- >= 2.2.0
activeresource contains a format string flaw in the request function of lib/active_resource/connection.rb. The issue is triggered as format string specifiers (e.g. %s and %x) are not properly sanitized in user-supplied input when passed via the ‘result.code’ and ‘result.message’ variables. This may allow a remote attacker to cause a denial of service or potentially execute arbitrary code.